fix: security hardening from pentest findings #6

Merged
will.anderson merged 1 commit from fix/pentest-security-hardening into stage 2026-05-07 02:02:52 +00:00

Summary

  • Turnstile enforcement: server-side verification on /api/demo — rejects requests without valid cf-turnstile-response; secret read from TURNSTILE_SECRET_KEY (Secret Manager); fixes /v0/ → /v1/ siteverify URL
  • Security headers: all responses now include HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • GCS error sanitization: /share/<id> no longer leaks bucket name in error responses
  • SRI on marked.min.js: added integrity + crossorigin attributes to CDN script tag
  • robots.txt: removed Sitemap: reference to non-existent sitemap.xml
  • Attestations routing: /api/attest writes to GCS_ATTEST_BUCKET (dedicated private bucket); falls back to GCS_SHARE_BUCKET for legacy deploys

Infrastructure (already live)

  • neuron-shares-prod public access revoked
  • neuron-attestations-prod private bucket created; 13 existing attestation records migrated
  • turnstile-secret-key seeded in Secret Manager
  • SPF → -all, DMARC → p=reject, HTTP redirect :443 fixed
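The Turnstile item above describes the server-side check in one line. The following is an added example, not code from neuron-web or this PR, of what that check has to do to be worth anything: refuse an empty token, read the secret from TURNSTILE_SECRET_KEY, POST to siteverify, and treat every failure (no secret, transport error, malformed reply, success=false, wrong hostname or action) as a rejection. The siteverify path follows the PR's "/v1/" wording and is an assumption to confirm against Cloudflare's current docs; the HTTP client is injected so the example runs offline, and the `fake_siteverify` stand-in, the "demo" action name and the route shape are all constructed for illustration.

```python
import json
import os
from typing import Callable, Mapping, Optional, Tuple

# Assumption: the PR says the siteverify path moved from /v0/ to /v1/; this
# follows the PR. Confirm the current path in Cloudflare's Turnstile docs.
SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v1/siteverify"

# Injected HTTP client so the example needs no network:
# post(url, form_fields) -> (status_code, body_bytes). Wrap requests/urllib here in production.
Poster = Callable[[str, Mapping[str, str]], Tuple[int, bytes]]


def verify_turnstile(token: Optional[str], post: Poster, *, secret: Optional[str] = None,
                     remote_ip: Optional[str] = None, expected_hostname: Optional[str] = None,
                     expected_action: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Every failure path rejects: the check fails closed."""
    # Cloudflare documents a 2048-character ceiling on tokens; cap before forwarding.
    if not token or len(token) > 2048:
        return False, "missing-or-oversized-token"
    secret = secret if secret is not None else os.environ.get("TURNSTILE_SECRET_KEY")
    if not secret:
        # A deploy without the secret must not silently degrade to "accept everyone".
        return False, "secret-not-configured"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        status, body = post(SITEVERIFY_URL, fields)
        result = json.loads(body)
    except Exception:  # transport failure or a non-JSON reply: reject, do not guess
        return False, "siteverify-unreachable"
    if status != 200 or not isinstance(result, dict):
        return False, "siteverify-bad-status"
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "unspecified"
        return False, f"siteverify-rejected:{codes}"
    # A token minted for another site or widget action is not proof for this one.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    if expected_action and result.get("action") != expected_action:
        return False, "action-mismatch"
    return True, "ok"


def fake_siteverify(valid_tokens: Mapping[str, str]) -> Poster:
    """Constructed stand-in for the Cloudflare endpoint: token -> hostname it was issued for."""
    def post(url: str, fields: Mapping[str, str]) -> Tuple[int, bytes]:
        assert url == SITEVERIFY_URL
        if fields.get("secret") != "test-secret":
            reply = {"success": False, "error-codes": ["invalid-input-secret"]}
        elif fields.get("response") in valid_tokens:
            reply = {"success": True, "hostname": valid_tokens[fields["response"]], "action": "demo"}
        else:
            reply = {"success": False, "error-codes": ["invalid-input-response"]}
        return 200, json.dumps(reply).encode()
    return post


def handle_demo(form: Mapping[str, str], post: Poster, client_ip: Optional[str] = None,
                secret: Optional[str] = None) -> Tuple[int, str]:
    """Route body for /api/demo (assumed shape): the Turnstile check runs before any real work."""
    accepted, reason = verify_turnstile(
        form.get("cf-turnstile-response"), post, secret=secret,
        remote_ip=client_ip, expected_action="demo",  # assumed action name from the widget markup
    )
    if not accepted:
        # Keep the detailed reason server-side; the client only learns it was refused.
        print(f"turnstile rejected: {reason}")
        return 403, "forbidden"
    return 200, "demo accepted"


if __name__ == "__main__":
    poster = fake_siteverify({"good-token": "neuron.example"})
    print(handle_demo({"cf-turnstile-response": "good-token"}, poster, secret="test-secret"))
    print(handle_demo({}, poster, secret="test-secret"))
```

The two points a pentest re-test will probe are the empty-token path and the "siteverify is down" path; both return 403 here. The hostname and action comparisons are optional in Cloudflare's API but cheap, and they stop a token harvested from a different widget or site from being replayed against /api/demo.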
will.anderson added 1 commit 2026-05-07 01:58:49 +00:00
- Turnstile server-side verification: reject requests with no cf_token;
  read secret from TURNSTILE_SECRET_KEY env (no longer hardcoded); fix
  siteverify URL from v0 to v1
- Security headers: wrap all responses via http_response() with HSTS,
  X-Content-Type-Options, X-Frame-Options, Referrer-Policy,
  Permissions-Policy, and Content-Security-Policy
- GCS error info leak: guard /share/<id> response — only return content
  that starts with '<' (valid HTML); GCS error JSON is silently 404d
- robots.txt: remove Sitemap reference to sitemap.xml that returns 404
- SRI hash: add integrity + crossorigin attributes to marked.min.js CDN tag
- Attestations bucket: write /api/attest records to GCS_ATTEST_BUCKET
  (dedicated private bucket) instead of the share bucket; falls back to
  GCS_SHARE_BUCKET if GCS_ATTEST_BUCKET is not set (legacy deploys)
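The commit message covers three response-side items: the http_response() wrapper that puts the hardening headers on every reply, the /share/<id> guard so a storage error never reaches the browser with the bucket name in it, and the SRI attributes on the marked.min.js tag. The following is an added example of all three together; it is not neuron-web's code. Header values, the share-id pattern, the `<id>.html` object naming, the placeholder CDN host and the `fake_gcs` client are assumptions made for illustration. Rather than keying on the first byte being "<", this version keys on the fetch outcome, so an object that legitimately does not begin with "<" still serves and a client-library error is always reduced to a bare 404.

```python
import base64
import hashlib
import html
import re
from typing import Callable, Dict, List, Tuple

# Assumed values: the PR lists these six headers but not what they carry.
# https://cdn.example stands in for wherever marked.min.js is actually served from.
SECURITY_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

Response = Tuple[int, Dict[str, str], bytes]


def http_response(body: bytes, status: int = 200,
                  content_type: str = "text/html; charset=utf-8") -> Response:
    """Single exit point for every route, so 404s and errors carry the same headers as 200s."""
    headers = dict(SECURITY_HEADERS)
    headers["Content-Type"] = content_type
    return status, headers, body


# Assumed id shape for /share/<id>; anything else is a 404 before storage is consulted.
SHARE_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")

# Injected object fetch: fetch_object(bucket, key) -> bytes, raising on any failure.
Fetcher = Callable[[str, str], bytes]


def share_handler(share_id: str, fetch_object: Fetcher, bucket: str,
                  server_log: List[str]) -> Response:
    """Serve a shared page; storage errors are logged in full but returned as a bare 404."""
    not_found = http_response(b"Not found", 404, "text/plain; charset=utf-8")
    if not SHARE_ID_RE.fullmatch(share_id):
        return not_found
    try:
        data = fetch_object(bucket, f"{share_id}.html")  # assumed object naming
    except Exception as exc:  # the client library's message names the bucket; keep it here
        server_log.append(f"share fetch failed id={share_id}: {exc}")
        return not_found
    return http_response(data)


def fake_gcs(objects: Dict[Tuple[str, str], bytes]) -> Fetcher:
    """Constructed stand-in for a storage client; its error text is shaped like a real one."""
    def fetch(bucket: str, key: str) -> bytes:
        if (bucket, key) not in objects:
            raise FileNotFoundError(
                f"404 GET https://storage.googleapis.com/{bucket}/{key}: No such object")
        return objects[(bucket, key)]
    return fetch


def sri_integrity(script_bytes: bytes, algorithm: str = "sha384") -> str:
    """Subresource Integrity value: '<algo>-' + base64(hash of the exact bytes the CDN serves)."""
    digest = hashlib.new(algorithm, script_bytes).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def cdn_script_tag(src: str, script_bytes: bytes) -> str:
    """Script tag whose integrity attribute pins the fetched bytes; crossorigin is required for SRI on a CDN."""
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_integrity(script_bytes)}" crossorigin="anonymous"></script>')


if __name__ == "__main__":
    log: List[str] = []
    fetch = fake_gcs({("neuron-shares-prod", "abcdefgh.html"): b"<html>shared</html>"})
    print(share_handler("abcdefgh", fetch, "neuron-shares-prod", log)[0])
    print(share_handler("zzzzzzzz", fetch, "neuron-shares-prod", log))
    print(log)
    print(cdn_script_tag("https://cdn.example/marked.min.js", b"window.marked = {};"))
```

Two checks worth running after deploying something like this: request /share/ with a nonexistent id and confirm the body and headers contain neither the bucket name nor a storage URL, and fetch the CDN script once, hash it yourself, and confirm the tag's integrity value matches, since a hash generated from a different build of marked.min.js will make the browser refuse to execute the script.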
will.anderson merged commit f19403ba68 into stage 2026-05-07 02:02:52 +00:00

Reference: neuron-technologies/neuron-web#6